Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection

Pyrite or Gold: It Takes More Than a Pick and Shovel

John McHugh

CERT Research Center
Center for Computer and Communications Security
Carnegie Mellon University
Abstract:

Data mining and statistically based approaches to intrusion detection show some promise as useful tools, but many of the results obtained to date are unlikely to translate well into the field. In this talk, I will discuss some of the steps that must be taken to determine whether or not an approach that appears to be useful in a laboratory setting is likely to fare well in an uncontrolled environment. Perhaps the most important of these is the nature of the phenomena on which the detection claim is based. We have seen a large number of cases in which the discriminating factors turn out to be serendipitous rather than necessary or sufficient, i.e., there is no necessary causal relationship between intrusive intent and the manifestation on which detection is based. The talk will discuss some interesting cases in detail and make arguments as to why the discriminating factors discovered are unlikely to hold up in practice. The talk will conclude with a general discussion of the nature of the intrusion detection problem as an exploration of spaces with high dimensionality and will make an attempt to establish a framework in which both necessary and sufficient conditions for the discovery of intrusive activities can be established.
Biography:

John McHugh is a senior member of the technical staff at the CERT Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University, where he does research in survivability, network security, and intrusion detection. He is also affiliated with the Center for Computer and Communications Security and the Center for Wireless and Broadband Research, both part of the Department of Electrical and Computer Engineering at CMU.
Prior to joining CERT, Dr. McHugh was a professor and chairman of the Computer Science Department at Portland State University in Portland, Oregon, where he held a Tektronix Professorship. He has been a member of the research faculty at the University of North Carolina and has taught at UNC and at Duke University. For a number of years, Dr. McHugh was a Vice President of Computational Logic, Inc., a contract research company formed to further the application of formal methods of software design and analysis in support of security and safety critical systems. While at CLI, he developed tools for the analysis of covert channels in multilevel secure systems and worked on the problems associated with the efficient implementation of formally specified systems. He has also worked for the Research Triangle Institute, the Naval Research Laboratory, the National Oceanic and Atmospheric Administration, the University of Minnesota, and the U.S. Patent Office.
Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has an MS degree in computer science from the University of Maryland and a BS degree in physics from Duke University. He is the author of numerous technical papers and reports. He has served as the chair of the IEEE Computer Society's Technical Committee on Security and Privacy and is a member of the advisory board for the International Journal of Information Security. He serves on the program or advisory committees of many of the major conferences and workshops in the computer security field.